Accepting request 872987 from GNOME:Next

- Update avahi-daemon-check-dns.sh from Debian. Our previous
  version relied on ifconfig, route, and init.d.
- Rebase avahi-daemon-check-dns-suse.patch, and drop privileges
  when invoking avahi-daemon-check-dns.sh (boo#1180827
  CVE-2021-26720).
- Add sudo to requires: used to drop privileges.

OBS-URL: https://build.opensuse.org/request/show/872987
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/avahi?expand=0&rev=182
Dominique Leuenberger 2021-02-19 21:27:57 +00:00 committed by Git OBS Bridge
parent cbc274f781
commit bdcdeadf85
7 changed files with 66 additions and 74 deletions


@ -1,5 +1,5 @@
--- avahi-daemon-check-dns.sh.debian 2012-03-04 05:24:07.000000000 +0100 --- avahi-daemon-check-dns.sh.debian 2021-01-27 15:28:07.832795734 -0600
+++ avahi-daemon-check-dns.sh 2012-05-23 20:06:27.121923772 +0200 +++ avahi-daemon-check-dns.sh 2021-01-27 15:39:35.364471899 -0600
@@ -5,15 +5,15 @@ @@ -5,15 +5,15 @@
PATH=/bin:/usr/bin:/sbin:/usr/sbin PATH=/bin:/usr/bin:/sbin:/usr/sbin
@ -13,48 +13,16 @@
+AVAHI_DAEMON_DETECT_LOCAL=yes +AVAHI_DAEMON_DETECT_LOCAL=yes
-test -f /etc/default/avahi-daemon && . /etc/default/avahi-daemon -test -f /etc/default/avahi-daemon && . /etc/default/avahi-daemon
+test -f /etc/sysconfig/avahi-daemon && . /etc/sysconfig/avahi-daemon +test -f /etc/sysconfig/avahi && . /etc/sysconfig/avahi
-if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "1" ]; then -if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "1" ]; then
+if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "yes" ]; then +if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "yes" ]; then
exit 0 exit 0
fi fi
@@ -96,12 +96,8 @@ --- avahi-daemon.if-up.debian 2021-01-27 16:09:50.922179542 -0600
# no unicast .local conflict, so remove the tag and start avahi again +++ avahi-daemon.if-up 2021-01-27 16:11:54.942842665 -0600
if [ -e ${DISABLE_TAG} ]; then @@ -3,10 +3,10 @@
rm -f ${DISABLE_TAG}
- if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
- invoke-rc.d avahi-daemon start || true
- else
- if [ -x "/etc/init.d/avahi-daemon" ]; then
- /etc/init.d/avahi-daemon start || true
- fi
+ if [ -x "/etc/init.d/avahi-daemon" ]; then
+ /etc/init.d/avahi-daemon start || true
fi
fi
}
@@ -110,14 +106,8 @@
[ -e ${DISABLE_TAG} ] && return
if [ -x /etc/init.d/avahi-daemon ]; then
- if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
- invoke-rc.d --force avahi-daemon stop || true
- else
- if [ -x "/etc/init.d/avahi-daemon" ]; then
- /etc/init.d/avahi-daemon stop || true
- fi
- fi
- if [ -x /usr/bin/logger ]; then
+ /etc/init.d/avahi-daemon stop || true
+ if [ -x /bin/logger ]; then
logger -p daemon.warning -t avahi <<EOF
Avahi detected that your currently configured local DNS server serves
a domain .local. This is inherently incompatible with Avahi and thus
--- avahi-daemon.if-up.debian 2012-03-04 05:24:07.000000000 +0100
+++ avahi-daemon.if-up 2012-05-24 19:38:04.347420848 +0200
@@ -3,7 +3,7 @@
# Don't run the avahi-daemon unicast local check while bringing up # Don't run the avahi-daemon unicast local check while bringing up
# the loopback device; it's not necessary until we bring up a real network # the loopback device; it's not necessary until we bring up a real network
# device # device
@ -63,3 +31,7 @@
# If we have an unicast .local domain, we immediately disable avahi to avoid # If we have an unicast .local domain, we immediately disable avahi to avoid
# conflicts with the multicast IP4LL .local domain # conflicts with the multicast IP4LL .local domain
if [ -x /usr/lib/avahi/avahi-daemon-check-dns.sh ] ; then
- exec /usr/lib/avahi/avahi-daemon-check-dns.sh
+ sudo -u avahi -g avahi /usr/lib/avahi/avahi-daemon-check-dns.sh
fi
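Review bot: The new `sudo -u avahi -g avahi /usr/lib/avahi/avahi-daemon-check-dns.sh` line runs from an if-up hook with no terminal, so if the host's sudoers policy ever asks for a password the hook blocks on a prompt instead of failing; `sudo -n -u avahi -g avahi /usr/lib/avahi/avahi-daemon-check-dns.sh` makes that an immediate, loggable failure. Dropping `exec` also means the hook's exit status is now whatever sudo returns rather than the script's, which looks harmless here since `fi` closes the block, but is worth a one-line comment such as `# run unprivileged (boo#1180827); sudo resets the environment, the script re-sources /etc/sysconfig/avahi itself`. Whether sudo's env_reset strips anything the script still needs from the if-up framework cannot be confirmed from this hunk. The enclosing if-up script starts outside the hunk.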


@ -21,7 +21,20 @@ ensure_rundir() {
if [ ! -d ${RUNDIR} ] ; then if [ ! -d ${RUNDIR} ] ; then
mkdir -m 0755 -p ${RUNDIR} mkdir -m 0755 -p ${RUNDIR}
chown avahi:avahi ${RUNDIR} chown avahi:avahi ${RUNDIR}
fi fi
}
log_disable_warning() {
if [ -x /usr/bin/logger ]; then
logger -p daemon.warning -t avahi <<EOF
Avahi detected that your currently configured local DNS server serves
a domain .local. This is inherently incompatible with Avahi and thus
Avahi stopped itself. If you want to use Avahi in this network, please
contact your administrator and convince him to use a different DNS domain,
since .local should be used exclusively for Zeroconf technology.
For more information, see http://avahi.org/wiki/AvahiAndUnicastDotLocal
EOF
fi
} }
dns_reachable() { dns_reachable() {
@ -31,12 +44,17 @@ dns_reachable() {
# If there is no local nameserver and no we have no global ip addresses # If there is no local nameserver and no we have no global ip addresses
# then we can't reach any nameservers # then we can't reach any nameservers
if ! $(egrep -q "nameserver 127.0.0.1|::1" /etc/resolv.conf); then if ! $(egrep -q "nameserver 127.0.0.1|::1" /etc/resolv.conf); then
# Get addresses of all running interfaces if [ -x "$(which ip)" ]; then
ADDRS=$(LC_ALL=C ifconfig | grep ' addr:') ADDRS=$(ip addr show scope global | grep inet)
# Filter out all local addresses ROUTES=$(ip route show 0.0.0.0/0)
ADDRS=$(echo "${ADDRS}" | egrep -v ':127|Scope:Host|Scope:Link') elif [ -x "$(which ifconfig)" -a -x "$(which route)" ]; then
# Check we have a default route # Get addresses of all running interfaces
ROUTES=$(route -n | grep '^0.0.0.0 ') ADDRS=$(LC_ALL=C ifconfig | grep ' addr:')
# Filter out all local addresses
ADDRS=$(echo "${ADDRS}" | egrep -v ':127|Scope:Host|Scope:Link')
# Check we have a default route
ROUTES=$(route -n | grep '^0.0.0.0 ')
fi
if [ -z "${ADDRS}" -o -z "${ROUTES}" ] ; then if [ -z "${ADDRS}" -o -z "${ROUTES}" ] ; then
return 1; return 1;
fi fi
@ -55,7 +73,8 @@ dns_has_local() {
fi fi
fi fi
OUT=`LC_ALL=C host -t soa local. 2>&1` # Use timeout when calling host as workaround for LP: #1752411
OUT=`LC_ALL=C timeout 5 host -t soa local. 2>&1`
if [ $? -eq 0 ] ; then if [ $? -eq 0 ] ; then
if echo "$OUT" | egrep -vq 'has no|not found'; then if echo "$OUT" | egrep -vq 'has no|not found'; then
return 0 return 0
@ -96,12 +115,10 @@ enable_avahi () {
# no unicast .local conflict, so remove the tag and start avahi again # no unicast .local conflict, so remove the tag and start avahi again
if [ -e ${DISABLE_TAG} ]; then if [ -e ${DISABLE_TAG} ]; then
rm -f ${DISABLE_TAG} rm -f ${DISABLE_TAG}
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then if [ -d /run/systemd/system ]; then
invoke-rc.d avahi-daemon start || true systemctl start avahi-daemon.socket avahi-daemon.service || true
else elif [ -x "/etc/init.d/avahi-daemon" ]; then
if [ -x "/etc/init.d/avahi-daemon" ]; then /etc/init.d/avahi-daemon start || true
/etc/init.d/avahi-daemon start || true
fi
fi fi
fi fi
} }
@ -109,24 +126,12 @@ enable_avahi () {
disable_avahi () { disable_avahi () {
[ -e ${DISABLE_TAG} ] && return [ -e ${DISABLE_TAG} ] && return
if [ -x /etc/init.d/avahi-daemon ]; then if [ -d /run/systemd/system ]; then
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then systemctl stop avahi-daemon.socket avahi-daemon.service || true
invoke-rc.d --force avahi-daemon stop || true log_disable_warning
else elif [ -x "/etc/init.d/avahi-daemon" ]; then
if [ -x "/etc/init.d/avahi-daemon" ]; then /etc/init.d/avahi-daemon stop || true
/etc/init.d/avahi-daemon stop || true log_disable_warning
fi
fi
if [ -x /usr/bin/logger ]; then
logger -p daemon.warning -t avahi <<EOF
Avahi detected that your currently configured local DNS server serves
a domain .local. This is inherently incompatible with Avahi and thus
Avahi disabled itself. If you want to use Avahi in this network, please
contact your administrator and convince him to use a different DNS domain,
since .local should be used exclusively for Zeroconf technology.
For more information, see http://avahi.org/wiki/AvahiAndUnicastDotLocal
EOF
fi
fi fi
ensure_rundir ensure_rundir
touch ${DISABLE_TAG} touch ${DISABLE_TAG}
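Review bot: The new `systemctl stop avahi-daemon.socket avahi-daemon.service || true` in disable_avahi (and the matching `systemctl start` in enable_avahi in the hunk above) needs root or a polkit grant, yet this commit now invokes the script as user avahi through sudo (see the if-up patch on this page), so on a host without such a grant the .local-conflict mitigation can silently fail to stop the daemon because `|| true` swallows the error. The same applies to `touch ${DISABLE_TAG}` and ensure_rundir's `mkdir`/`chown` of `${RUNDIR}`, which only work if the avahi user already owns that directory. At minimum the failure should be visible: `systemctl stop avahi-daemon.socket avahi-daemon.service || logger -p daemon.err -t avahi "failed to stop avahi-daemon"`. As a point of style, the new `elif [ -x "$(which ifconfig)" -a -x "$(which route)" ]` in dns_reachable uses the deprecated `-a`; `[ -x "$(which ifconfig)" ] && [ -x "$(which route)" ]` is the portable form. disable_avahi's body continues past the end of this hunk.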


@ -50,7 +50,7 @@ License: LGPL-2.1-or-later
Group: System/Daemons Group: System/Daemons
URL: http://www.avahi.org/ URL: http://www.avahi.org/
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz # From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
Source1: avahi-daemon-check-dns.sh Source1: avahi-daemon-check-dns.sh
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel. # Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
Source4: avahi-glib-gettext.m4 Source4: avahi-glib-gettext.m4
@ -103,6 +103,7 @@ BuildRequires: libevent-devel >= 2.1.5
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
Requires: nss-mdns Requires: nss-mdns
Requires: sudo
Requires(pre): shadow Requires(pre): shadow
# #
# mDNSResponder was used for <= 10.2: # mDNSResponder was used for <= 10.2:


@ -50,7 +50,7 @@ License: LGPL-2.1-or-later
Group: Development/Languages/Mono Group: Development/Languages/Mono
URL: http://www.avahi.org/ URL: http://www.avahi.org/
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz # From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
Source1: avahi-daemon-check-dns.sh Source1: avahi-daemon-check-dns.sh
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel. # Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
Source4: avahi-glib-gettext.m4 Source4: avahi-glib-gettext.m4
@ -103,6 +103,7 @@ BuildRequires: libevent-devel >= 2.1.5
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
Requires: nss-mdns Requires: nss-mdns
Requires: sudo
Requires(pre): shadow Requires(pre): shadow
# #
# mDNSResponder was used for <= 10.2: # mDNSResponder was used for <= 10.2:


@ -50,7 +50,7 @@ License: LGPL-2.1-or-later
Group: System/Daemons Group: System/Daemons
URL: http://www.avahi.org/ URL: http://www.avahi.org/
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz # From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
Source1: avahi-daemon-check-dns.sh Source1: avahi-daemon-check-dns.sh
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel. # Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
Source4: avahi-glib-gettext.m4 Source4: avahi-glib-gettext.m4
@ -103,6 +103,7 @@ BuildRequires: libevent-devel >= 2.1.5
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
Requires: nss-mdns Requires: nss-mdns
Requires: sudo
Requires(pre): shadow Requires(pre): shadow
# #
# mDNSResponder was used for <= 10.2: # mDNSResponder was used for <= 10.2:


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Tue Feb 16 22:37:35 UTC 2021 - Michael Gorse <mgorse@suse.com>
- Update avahi-daemon-check-dns.sh from Debian. Our previous
version relied on ifconfig, route, and init.d.
- Rebase avahi-daemon-check-dns-suse.patch, and drop privileges
when invoking avahi-daemon-check-dns.sh (boo#1180827
CVE-2021-26720).
- Add sudo to requires: used to drop privileges.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Feb 10 20:09:43 UTC 2021 - Jan Engelhardt <jengelh@inai.de> Wed Feb 10 20:09:43 UTC 2021 - Jan Engelhardt <jengelh@inai.de>


@ -52,7 +52,7 @@ License: LGPL-2.1-or-later
Group: System/Daemons Group: System/Daemons
URL: http://www.avahi.org/ URL: http://www.avahi.org/
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz # From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
Source1: avahi-daemon-check-dns.sh Source1: avahi-daemon-check-dns.sh
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel. # Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
Source4: avahi-glib-gettext.m4 Source4: avahi-glib-gettext.m4
@ -105,6 +105,7 @@ BuildRequires: libevent-devel >= 2.1.5
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
Requires: nss-mdns Requires: nss-mdns
Requires: sudo
Requires(pre): shadow Requires(pre): shadow
# #
# mDNSResponder was used for <= 10.2: # mDNSResponder was used for <= 10.2: